Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
518
Views
0
Helpful
3
Replies

Campus manager and ACS

gregory.aniorte
Level 1
Level 1

‎08-26-2008 08:14 AM

I would like to limit access only to the VLAN port assignment. So I've checked the "VLAN Port Assignment" boxe in the User profile created on my ACS.

The problem is that there is no devices listed under Configuration/VLAN Port Assignment/Device Selector window/All Devices.

When I put the user on the Network Admin group, I can list devices.

Also, I found a security problem. When I limit the access to a NDG, devices under the "All Devices" respect that limitation. But when you go under Campus-Switch Clouds-Switchcloud-1, all devices are listed and I can change the vlan of any interfaces.

Is that normal ?

I'm using LMS 3.1 and ACS 4.1

When a user connects to LMS, the ACS log file show the IP source as the IP of the Ciscoworks server. Is there a way to obtain the user workstation IP to restrict access only from his IPs.

Thanks.

Labels:
0 Helpful
3 Replies 3

Joe Clarke
Cisco Employee
Cisco Employee

‎08-26-2008 09:19 AM

First, the fact that Campus Topology doesn't respect ACS roles is a known limitation. This will be fixed in LMS 3.2. See CSCsk11553.

As for not seeing devices, make sure the group to which the user belongs has access to the devices NDG as well as the NDG which contains the LMS server. Make sure this has been done for the Campus Manager application.

0 Helpful

gregory.aniorte
Level 1
Level 1
In response to Joe Clarke

‎08-26-2008 09:51 AM

Thanks again Joe.

For my last question, is there a solution ?

How can I limit the access to Ciscoworks from a specific workstation ie. a specific IP as the ciscoworks do not send the host IP in the TACACS+ request ?

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to gregory.aniorte

‎08-26-2008 10:50 AM

No, this cannot be done. Roles are restricted only to user/group.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents